Issue
Frequently asked questions regarding the technical aspects of Red Canary's Azure integration.
Environment
Red Canary Portal
Azure integration
Resolution
Table of Contents
- How long will the integration be in "Provisioning" status?
- What happens during provisioning?
- What is Azure Lighthouse?
- How does Red Canary use Lighthouse access?
- Can we integrate Azure without using Lighthouse?
- Can Red Canary's Lighthouse permissions be further restricted or customized?
- Can I delete Red Canary's Service Provider Offerings in Lighthouse after provisioning completes?
- How is data exported to Red Canary?
- Why do I not see any Diagnostics enabled on Storage Account resources?
- Why is my Entra ID integration no longer receiving data after provisioning Azure?
- Why is Red Canary reporting fewer subscriptions than are in my tenant?
- What is the significance of these Red Canary policies in my tenant?
- Can I send additional log types to my Log Analytics Workspace and/or use it for other purposes?
- Where can I find more information about Red Canary's Azure integration?
How long will the integration be in "Provisioning" status?
Provisioning can take up to 2 hours or more under normal circumstances, as it is an automated process that runs at scheduled intervals. During this time, the integration will show as "Provisioning" in the Red Canary Portal.
What happens during provisioning?
Provisioning involves two primary stages. First, a dedicated Event Hub for the integration is created in Red Canary's Azure tenant. Next, Red Canary creates the Diagnostic Settings and data exports in the integrated tenant using Azure Lighthouse access.
If an Entra ID integration was previously configured for the Azure tenant, data ingest of Entra telemetry will cease until provisioning is complete, as the existing data export will be deleted and replaced with the new Event Hub details.
What is Azure Lighthouse?
Azure Lighthouse is Microsoft's service designed specifically for secure cross-tenant management. It enables service providers like Red Canary to access and manage an organization's Azure environment in a controlled, auditable manner without requiring direct tenant access. Microsoft views Azure Lighthouse as the most secure and modern architecture for cross-tenant data access.
How does Red Canary use Lighthouse access?
Red Canary uses Lighthouse for the following purposes.
- Collect Security Telemetry: Access Entra ID logs, Azure Activity Logs, and Azure Resource Logs needed for threat detection
- Manage Diagnostic Settings: Configure and maintain log exports from Log Analytics Workspaces to Red Canary's Event Hubs
- Monitor Environment Health: Enumerate Azure resources to ensure comprehensive monitoring coverage and proper licensing
- Enable Automated Remediation: Repair broken diagnostic settings to maintain continuous security coverage
Can we integrate Azure without using Lighthouse?
No, not at this time. Microsoft does not support alternative mechanisms for this type of cross-tenant data access, and Red Canary's comprehensive approach to Azure monitoring requires the capabilities that only Lighthouse provides.
Can Red Canary's Lighthouse permissions be further restricted or customized?
No. Because Lighthouse doesn't support custom roles, access must be granted using Microsoft's built-in role structure. The roles granted via Lighthouse are the minimum required roles that provide Red Canary with the permissions necessary for security monitoring. The granted permissions do not allow Red Canary to read an organization's data plane and do not grant global administrator or owner access.
Can I delete Red Canary's Service Provider Offerings in Lighthouse after provisioning completes?
No. The Service Provider Offerings are a persistent requirement for the purposes described under "How does Red Canary use Lighthouse access?" above.
How is data exported to Red Canary?
Data is sent from integrated tenants to a Red Canary-owned Event Hub from the following places.

Data Type | Method of Egress & Where to View | What Data is Sent?
--- | --- | ---
Entra ID logs | Log Analytics Workspace > Settings > Data Export Rules > RC-Entra-Data-Export (Data Export) | AuditLogs, SigninLogs, AADManagedIdentitySignInLogs, AADServicePrincipalRiskEvents, AADServicePrincipalSignInLogs, ADFSSignInLogs, AADUserRiskEvents
Subscription-level activity | Subscriptions > [Subscription] > Activity Logs > Export Activity Logs > RC-Logs (Diagnostic Setting) | ActivityLogs
Key Vault logs | [Key Vault resource] > Monitoring > Diagnostic Settings > RC-Logs (Diagnostic Setting) | KeyVaultActivityLogs
Defender for Cloud alerts | Resource Groups > RCAutomation > Manage View > Show Hidden Types > RedCanaryDefenderForCloudExport (Automation) | Alerts
Why do I not see any Diagnostics enabled on Storage Account resources?
At this time, Red Canary does not export Storage Account logs for analysis due to their low-fidelity content.
Why is my Entra ID integration no longer receiving data after provisioning Azure?
Entra ID telemetry volume is now reported under the Azure integration to avoid duplicative data. This support article details the process further.
Why is Red Canary reporting fewer subscriptions than are in my tenant?
This typically happens for one of three reasons.
- No Lighthouse Access: The most likely cause is that Red Canary has not been granted access via Lighthouse. See "Why Is an Azure Subscription Missing in Red Canary?" for additional guidance.
- Out of Management Group Scope: When integrating Azure at any management group level other than the tenant root management group, any subscriptions outside of the integrated management group will not be visible to Red Canary.
- Over Subscription Cap: By default, Red Canary caps Azure integrations at 2,000 subscriptions (inclusive of Visual Studio Subscriptions). If your tenant exceeds this, reach out to Red Canary Support for further assistance.
What is the significance of these Red Canary policies in my tenant?
During onboarding, two policies are created in Azure Policy.
- RC Azure Log Ingest: This policy delegates Red Canary's "Red Canary - Azure Log Ingest" Service Provider Offering to subscriptions in your tenant. Non-compliant subscriptions should be remediated, as this delegation is what grants Red Canary the permissions necessary to monitor the subscription.
- RC Automation Resource Group: This policy uses a deployIfNotExists policy definition to create a resource group called RCAutomation in each subscription. Once created, Red Canary adds automation in the resource group to export Defender for Cloud alerts for resources in that subscription.
Can I send additional log types to my Log Analytics Workspace and/or use it for other purposes?
Yes, you are free to send any additional desired data to the workspace, but that data will not be sent to Red Canary for analysis or monitoring. This is because Red Canary applies a data export that forwards only the Entra ID log tables listed under "How is data exported to Red Canary?" above.
Log Analytics Workspaces support up to 10 data exports per workspace, so you can generally use the workspace for other third-party integrations or workflows without affecting Red Canary. See this support article for additional details.
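To confirm after provisioning that the RC-Entra-Data-Export rule is intact (enabled, pointed at an Event Hub, and covering every table listed under "How is data exported to Red Canary?") and to see which tables other export rules send elsewhere, here is an added example; it is not Red Canary's code. It assumes the JSON field names produced by `az monitor log-analytics workspace data-export list` (name, enable, tableNames, destination.resourceId), and the sample input is constructed with placeholder resource IDs.

```python
import json

# Tables the FAQ says the RC-Entra-Data-Export rule forwards to Red Canary.
REQUIRED_TABLES = {
    "AuditLogs", "SigninLogs", "AADManagedIdentitySignInLogs",
    "AADServicePrincipalRiskEvents", "AADServicePrincipalSignInLogs",
    "ADFSSignInLogs", "AADUserRiskEvents",
}
EXPORT_RULE_NAME = "RC-Entra-Data-Export"

# Constructed sample, modelled on the output of
# `az monitor log-analytics workspace data-export list` (the field names
# name/enable/tableNames/destination.resourceId are an assumption).
# The Red Canary rule is disabled and missing one table on purpose.
SAMPLE_EXPORTS_JSON = """[
  {"name": "RC-Entra-Data-Export", "enable": false,
   "tableNames": ["AuditLogs", "SigninLogs", "AADManagedIdentitySignInLogs",
                  "AADServicePrincipalRiskEvents", "AADServicePrincipalSignInLogs",
                  "AADUserRiskEvents"],
   "destination": {"resourceId": "/subscriptions/<placeholder>/resourceGroups/rg/providers/Microsoft.EventHub/namespaces/<placeholder-ns>"}},
  {"name": "other-team-export", "enable": true,
   "tableNames": ["AzureActivity", "Syslog"],
   "destination": {"resourceId": "/subscriptions/<placeholder>/resourceGroups/rg/providers/Microsoft.Storage/storageAccounts/<placeholder-sa>"}}
]"""

def check_entra_export(exports_json):
    """Return findings for the Red Canary export rule; [] means it is intact."""
    exports = json.loads(exports_json)
    rule = next((e for e in exports if e.get("name") == EXPORT_RULE_NAME), None)
    if rule is None:
        return [f"data export rule {EXPORT_RULE_NAME} not found"]
    findings = []
    if not rule.get("enable", False):
        findings.append("rule is disabled")
    dest = rule.get("destination", {}).get("resourceId", "")
    if "/providers/Microsoft.EventHub/" not in dest:
        findings.append(f"destination is not an Event Hub namespace: {dest}")
    missing = sorted(REQUIRED_TABLES - set(rule.get("tableNames", [])))
    if missing:
        findings.append("missing tables: " + ", ".join(missing))
    return findings

def tables_not_forwarded(exports_json):
    """Tables other export rules send elsewhere that never reach Red Canary."""
    exports = json.loads(exports_json)
    rc, others = set(), set()
    for e in exports:
        (rc if e.get("name") == EXPORT_RULE_NAME else others).update(e.get("tableNames", []))
    return sorted(others - rc)
```

Run `check_entra_export` on the real CLI output; any non-empty result means the export should be repaired (or Red Canary's automated remediation allowed to do so) before relying on Entra ID coverage.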
Where can I find more information about Red Canary's Azure integration?
If your question is not answered in this FAQ, you may also refer to the following documentation.
- How Microsoft Azure Works with Red Canary
- Integrate with Microsoft Azure
- All Azure Articles from Red Canary Support